secldifconv Command

Purpose

Converts user and group entries of an LDIF from one schema type to another.

Syntax

secldifconv [-R load_module ] -S schematype -i inputFile [ -r ]

Description

The secldifconv command reads the ldif formatted input file specified by the -i option, converts the user and group data using the schema type specified by the -S option, and prints the result to stdout. If redirected to a file, the result can be added to an LDAP server with the ldapadd command or the ldif2db command.

The -S option specifies the conversion schema type used for the ldif output. The secldifconv command accepts the following schema types:
  • AIX® - AIX schema (aixaccount and aixaccessgroup objectclasses)
  • RFC2307 - RFC 2307 schema (posixaccount, shadowaccount, and posixgroup objectclasses)
  • RFC2307AIX - RFC 2307 schema with full AIX support (posixaccount, shadowaccount, and posixgroup objectclasses, plus the aixauxaccount and aixauxgroup objectclasses).

The input file specified with the -i option can include entries in any of the above supported schemas. The secldifconv command will convert user and group entries according to the attribute mapping defined in the /etc/security/ldap/*.map files for the corresponding schema type. Only user and group entries will be converted, other entries are output unaltered.

Use of the -r option allows the removal of attributes in user and group entries that are not included in the specified output schema. If the option is not specified, unrecognized attributes are assumed to be valid and are output unaltered. Note, however, that a user or group attribute that is defined in the schema secldifconv is converting from but not in the schema requested to convert into will not be output. This behavior allows conversion from the AIX and RFC2307AIX schemas to the RFC2307 schema, which contains a subset of their attributes.

In releases of AIX prior to AIX 5.3, when the AIX schema was used to store entries in LDAP, the user's password was stored without an encryption prefix (that is, {crypt}). If the db2ldif command is used to generate the input file for secldifconv, passwords without an encryption prefix are output in {IMASK} format. To convert the {imask} format into the proper {crypt} format when converting from the AIX schema type, use the -R option to specify the loadable I&A module from which the password is read; this assumes the system has previously been configured as an LDAP client.

Care should be taken when adding users and groups from other systems to the LDAP server using the secldifconv command output. The ldapadd and ldif2db commands check only for entry name (user name or group name) but not for the numeric ID when adding entries. Merging users and groups from multiple servers using secldifconv output can result in sharing of a numeric ID by multiple accounts, which is a security violation. Note that IBM® Directory Server 5.2 and later supports a unique attribute feature that can be used to avoid this issue.
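
A pre-load check for the numeric-ID collision described above, added here as an example and not part of the secldifconv command or its documentation. It assumes the converted file uses the RFC2307 or RFC2307AIX schema (posixAccount and posixGroup entries carrying uidNumber and gidNumber) and a POSIX awk; the function name ldif_dup_ids and the sample entries are constructed for the example.

```shell
# Report uidNumber values shared by several posixAccount entries and gidNumber
# values shared by several posixGroup entries in an LDIF file (secldifconv
# RFC2307/RFC2307AIX output). Reads $1 or stdin; returns 1 if any were found.
ldif_dup_ids() {
  awk '
    # remember which entry (dn) owns ID k, so clashes can be reported by name
    function record(k) { count[k]++; owners[k] = (count[k] == 1) ? dn : owners[k] "; " dn }
    function flush() {            # end of entry: record the IDs it owns
      if (isuser && uidn != "") record("uidNumber=" uidn)
      if (isgroup && gidn != "") record("gidNumber=" gidn)
      dn = uidn = gidn = ""; isuser = isgroup = 0
    }
    function handle(line,    i, key, val) {
      if (line == "") { flush(); return }
      i = index(line, ":"); if (i == 0) return     # comment or junk line
      key = tolower(substr(line, 1, i - 1))
      val = substr(line, i + 1); sub(/^:? */, "", val)  # drop "::" and blanks
      if (key == "dn") dn = val
      else if (key == "uidnumber") uidn = val
      else if (key == "gidnumber") gidn = val
      else if (key == "objectclass" && tolower(val) == "posixaccount") isuser = 1
      else if (key == "objectclass" && tolower(val) == "posixgroup") isgroup = 1
    }
    /^ / { buf = buf substr($0, 2); next }    # join folded continuation line
    { handle(buf); buf = $0 }
    END { handle(buf); flush()
          for (k in count) if (count[k] > 1) { bad = 1; print k "\t" owners[k] }
          exit bad + 0 }
  ' "$@"
}
# Constructed sample: alice and bob collide on uidNumber 1001 (merged output
# from two servers); gidNumber 100 on alice is only a primary-group reference.
sample_ldif() {
  cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uidNumber: 1001
gidNumber: 100

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uidNumber: 1001

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
gidNumber: 100
EOF
}
sample_ldif | ldif_dup_ids || echo "duplicate IDs found; do not load"
```

In practice the check sits between the conversion and the load, for example `secldifconv -S rfc2307 -i input.ldif > convert.ldif && ldif_dup_ids convert.ldif && ldapadd ...`.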

Flags

Item Description
-R load_module Specifies the loadable I&A module used to retrieve the user's password if necessary.
-S schematype Specifies the output LDAP schema type. Valid values are AIX, RFC2307, and RFC2307AIX.
-i inputFile Specifies the input file in ldif format that contains user and group data to convert.
-r Specifies to remove any attributes that are not defined in the specified schema type.

Exit Status

This command returns the following exit values:

Item Description
0 The command completed successfully.
>0 An error occurred.
-1 Memory failure (that is, Memory allocation failure).

Examples

  1. To convert entries in an ldif formatted file to the rfc2307 schema, type the following:
    secldifconv -S rfc2307 -i input.ldif
    This writes the converted entries to stdout in ldif format. User entries and group entries are converted into the rfc2307 schema type.
  2. To convert entries in an ldif formatted file to the rfc2307aix schema and remove unrecognized attributes, type the following:
    secldifconv -R LDAP -S rfc2307aix -i input.ldif -r > convert.ldif
    This sends the output of the command to the convert.ldif file in ldif format. Unrecognized attributes are removed during conversion, and user passwords are requested from the LDAP module if necessary.

Location

/usr/sbin/secldifconv

Files

Mode File
r /etc/security/ldap/2307aixgroup.map
r /etc/security/ldap/2307aixuser.map
r /etc/security/ldap/2307group.map
r /etc/security/ldap/2307user.map
r /etc/security/ldap/aixgroup.map
r /etc/security/ldap/aixuser.map